OFFICE OF INSPECTOR GENERAL

AUDIT OF THE OVERSEAS PRIVATE INVESTMENT CORPORATION'S FISCAL YEAR 2013 COMPLIANCE WITH PROVISIONS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. A-OPC-13-006-P
SEPTEMBER 26, 2013

This is a summary of our report on "Audit of the Overseas Private Investment Corporation's Fiscal Year 2013 Compliance With Provisions of the Federal Information Security Management Act of 2002." The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual assessment of their information systems.

The Office of Inspector General (OIG) contracted with the independent certified public accounting firm of Cotton & Company LLP to conduct the audit. Cotton was required to conduct the audit in accordance with U.S. Government auditing standards. The objective was to determine whether the Overseas Private Investment Corporation (OPIC) implemented selected minimum security controls for selected information systems to reduce the risk of data tampering, unauthorized access to and disclosure of sensitive information, and disruptions to OPIC's operations.

The audit concluded that OPIC implemented 51 of the 69 tested security controls. For example, the following controls were operating effectively:

• Security control assessments and system authorization processes
• Incident response capabilities
• Security categorization and risk assessment processes
• Information system documentation
• Configuration change control

However, Cotton identified several weaknesses in OPIC's information security controls. Based on Cotton's report, OIG made 14 recommendations to help OPIC strengthen its information security program. Management decisions were made on all 14 recommendations, and final action was taken on one of them. However, OIG did not agree with one management decision and encouraged OPIC to revise it to fully address the weaknesses identified in Cotton's audit report.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov